1

I see here and here (under Connecting to Your Linux Instance if You Lose Your Private Key) ways to access an EC2 instance without the .pem file that was created when the instance was created.

I would like to secure my EC2 so NO-ONE without the .pem file (that I have locally on my machine) will be able to access it.

BTW, I still have in EC2 the key pairs of the instances (public key, fingerprint).

How can I do it?

Dejel
  • 195

2 Answers

2

You didn't come out and say this right away, but you have given AWS console access to someone who you don't trust. That is the problem you need to solve. What you've done is equivalent to giving someone physical access to your server. Once you've done that, all bets are off. Game over.

So, the first thing that you need to do is revoke this person's access to your AWS account. After you've done this, all you need to do is protect your private key (which it already sounds like you're doing) and the chances of your servers being compromised via SSH are essentially zero.

EEAA
  • 110,608
1

You have a few options to control access. Take as many of these approaches as you can.

  1. Use instance store backed EC2.
  2. Set up MFA on your AWS console.
  3. Set up Security Groups on your EC2 machine.
  4. Add a passphrase to your SSH private key.
  5. Disable password auth to SSH.
  6. Disable root login to SSH.
  7. Audit all user accounts for SSH public keys.

If you do all of the above steps, you have prevented the workaround described above in your question. The approach laid out in my answer can be considered "defense in depth", meaning making sure to solve the problem in multiple layers. Thus, even if there is a compromise or mistake on one layer, the others will prevent access.

dmourati
  • 26,498
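One way to verify steps 5 to 7 from the answer above on a host, as an added example that is not code from the original answers: the file paths are parameters, so the functions can be run against /etc/ssh/sshd_config and /etc/passwd or against copies.

```shell
#!/bin/sh
# Added example: check an sshd_config for the two settings the answer asks
# for (no password auth, no root login) and list every authorized_keys file
# under the home directories in a passwd-format file, so that a key someone
# planted via the console workaround shows up in the audit.

# effective_value FILE KEYWORD
# Print the value of the first un-commented KEYWORD line, or nothing if the
# keyword is never set. sshd honours the first match; later lines are ignored.
effective_value() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE
# Return 0 when PasswordAuthentication and PermitRootLogin are both "no",
# 1 otherwise, printing each setting that still needs to change.
check_sshd_config() {
    pw=$(effective_value "$1" PasswordAuthentication)
    root=$(effective_value "$1" PermitRootLogin)
    status=0
    if [ "$pw" != "no" ]; then
        echo "PasswordAuthentication is '${pw:-unset, defaults to yes}', should be 'no'"
        status=1
    fi
    if [ "$root" != "no" ]; then
        echo "PermitRootLogin is '${root:-unset}', should be 'no'"
        status=1
    fi
    return "$status"
}

# list_authorized_keys PASSWD_FILE
# For each account in PASSWD_FILE (same layout as /etc/passwd), print
# "user keyfile keycount" for every authorized_keys file that exists.
# Blank and comment lines are not counted as keys.
list_authorized_keys() {
    while IFS=: read -r user _ _ _ _ home _; do
        for f in "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"; do
            [ -f "$f" ] || continue
            n=$(grep -c -v -E '^[[:space:]]*(#|$)' "$f")
            echo "$user $f $n"
        done
    done < "$1"
}
```

Run as root so every home directory is readable; `sshd -T` prints the merged effective configuration if Include directives are in use.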